November 2016

November 30, 2016

Thanks to friend and colleague Tina Ayiotis for submitting the following review of Locked Down: Practical Information Security for Lawyers (2nd Edition, ABA 2016). John and I also thank our co-author of the book, Dave Ries, whose expertise contributed so much to the book.

As someone who read (and reviewed) the first edition, I was delighted to find the second edition even more readable and relevant. There shouldn't be any doubt today regarding the need for lawyers to be competent about how to protect their Client's confidential information— Locked Down: Practical Information Security for Lawyers, 2nd Edition enables them to understand the basics of end-to-end information management covering (in depth, in some instances) policies, physical security, authentication, encryption, mobility, network security, remote access, cloud computing, outsourcing (3rd party vendors), social media, cyberinsurance and much more. Conveniently, the Appendices contain the most important cyber collateral (e.g., NIST Framework, relevant ABA Model Rules, Checklists, Sample Security Policies, etc.) so minimal outside resources need to be consulted to use the book as a blueprint for how to be secure.

While the book is written for lawyers (and all lawyers should read it), it is important for all professionals supporting legal services to also read it to understand the role they play in the ecosystem. For example, the chapter on Secure Disposal and Digital Copiers should put lawyers on notice that all people working for them that touch digital (or otherwise) Client information have a hand in ensuring it is properly managed/secured. This may mean hiring consultants with more in-depth knowledge to ensure devices, etc. are properly configured and data flows are mapped and managed (full-lifecycle). The chapter on The Internet of Everything drives home the point that soon absolutely everything will be "connected" making vigilance about proper information management (including information security) all the more important. The chapter on Cloud Computing provides a terrific overview of the issues to be considered (pp. 222-223 cover "reasonable care") in this context. Given how mobile everyone is today, the chapters on Networks: Wired and Wireless and Remote Access should have readers running to their own devices (including home routers) and/or their IT staff/consultants to ensure everything is appropriately configured and working.

Having read hundreds of relevant articles and books over the years, this is the best (most straightforward and appropriately detailed) book on the subject. If you remove the lawyer-specific (mostly ethical) requirements, it stands as a general book on cybersecurity for any business. Every corporate counsel should read this book, both to ensure their own house is in order and to work with all their 3rd Party legal services vendors, particularly law firms. Cybersecurity is so important that every law firm employee should be properly trained (based on their roles) and certainly every law firm IT and Records/Information Governance professional should read and live the content of the book. I stand by my October 22, 2015 prediction that when a law firm is sued by a client because of a data breach, Locked Down may one day be "entered into evidence to demonstrate the 'reasonable care' law firms should be taking with respect to security." That day may come soon.

P.S. Encryption, encryption, encryption is a mantra rightly reinforced by the authors throughout the chapters that I hope gets into (and stays) in the subconscious of every reader.

November 29, 2016

On November 28th, a local TV station reported that two men were arrested in Tulsa, Oklahoma after breaking into a business to steal two bottles of scotch. Not an unusual crime, but made unusual by the involvement of a drone which followed the men across the street from the break-in to a park where they began drinking the fruits of their crime.

An eyewitness who saw the break-in happening was talking to a drone pilot outside The Vault, where the break-in took place. So when the men took off, the drone did too. David Bell, the drone operator, generally flies his drone to get beauty shots downtown.

But on that day, his drone's live feed guided the police to the men drinking on the bench. One was arrested for public intoxication and the other for the break-in. They reportedly didn't believe that the police had been aided by a drone. But criminals probably should get used to the fact that video cameras – and now drones – may be their undoing.

The guide lays out dozens of technical standards and security principles for connected-device developers in an attempt to reduce security vulnerabilities. The publication will no doubt receive a lot of attention in the wake of the Dyn attack, in which hackers hijacked millions of Internet-connected devices in a major cyberattack on domain name service provider Dyn which temporarily blocked access to popular websites, including Twitter and the New York Times. The attack prompted NIST to release its guide a month early.

Now we just have to convince money-hungry manufacturers that it makes economic sense to raise their prices to budget-conscious consumers who don't care a fig about security in order to make sure those consumers (and others) are secure. Oh yeah, that ought to work . . .

November 22, 2016

It's not a bug – it's a feature. Right? Many Apple users were not happy to learn that researchers at the Russian proactive software firm Elcomsoft found that iPhones silently upload call logs to the iCloud. According to an SC Media report, Apple automatically uploads iPhone call logs to Apple's remote servers where the data may be stored for months with no option for the end user to entirely disable the feature on their device.

The feature is available on all devices running on iOS 9.x and 10.x and there is no official way to disable it other than to disable the iCloud Drive functionality. Elcomsoft says that disabling the feature would greatly affect the usability of the device since Apple delivers a number of features via iCloud Drive.

An individual's communication history can reveal a lot about a user's life including sexual preferences, medical issues, infidelities, illegal activities, business dealings, and more, Tripwire Cybersecurity Researcher Craig Young told SC Media.

"Unlike the encryption employed on an iPhone's local memory storage, data stored within iCloud is encrypted in such a way that it can be retrieved with the assistance of Apple or through the use of an authentication token such as what might be stored on the device owner's computer," Young said. "A compromise of Apple's servers could therefore expose the data from a large number of users thereby enabling social engineering attacks as well as extortion schemes."

Not precisely the holiday gift we might have wanted from Apple!

Hat tip to my youngest daughter, Kim Haught, one of the many reasons I have cause to give thanks on Thanksgiving Day! Have a marvelous holiday everyone – I give thanks for all of you too - RTL will be back next week!

November 21, 2016

Our latest Legal Talk Network Digital Detectives podcast afforded us the opportunity to talk to Doug Austin, CloudNine's Vice President of Professional Services. Doug is also the author/editor of the eDiscovery Daily Blog, one of my cherished e-discovery resources. My favorite part of the podcast was discussing the commitment it takes to blog on such a regular basis (tell me about it!) and why we both do it.

Beyond that, we chatted about the hottest topics in e-discovery, some of which include technology assisted review, e-discovery "gotchas", best practices, the impact of new ethical rules on competence, securing data during discovery and more.

Have a listen while you're recovering from all the turkey and fixings!

November 17, 2016

CNET may have a prospective Christmas gift for you. As its post says, "Big Brother has arrived -- and it's you."

Developed by German company Osmotic Studios, the game Orwell (available as a pre-order for $9.95) has you working as a new recruit in a surveillance agency of the same name, following a series of terrorist attacks in Bonton, the fictional capital of The Nation. As an agent, you are responsible for scraping social media feeds, blogs, news sites and the private communications of the Nation's citizens to find those with connections to the bombings.

You start with your first suspect before working through a web of friends and associates. You're after data chunks -- highlighted pieces of information and text found in news stories, websites and blogs that can be dragged and uploaded into the Orwell system and permanently stored as evidence.

In Orwell, you're tasked with tracking the online lives of The Nation's citizens, monitoring their communications and building a surveillance profile. The game is reported to be unsettling and beguiling.

It all seems above board at first, reading publicly-available information online. But before long you're reading private chat logs, intercepting phone calls and wandering into ethical grey areas. When it comes to timeline posts and private chats, just how accurate is each data chunk you save? And how much can the private messages of others be construed as evidence of criminal intent?

Now you are a member of the online thought police – how will you react? Will you feel moral repulsion? Will you get captivated by your role? How will you balance privacy vs. security?

While Orwell's polygon aesthetic is more abstract than many games, the game still closely mimics an online world that players know intimately. "Facebook stalking" is part of the modern lexicon, and we've all had to work out how much we're willing to share about our lives online. Orwell puts us on the other side of the looking glass.

You may find yourself repeating an oft-heard government line: "If you have nothing to hide, you have nothing to fear." Then again . . .

November 16, 2016

InfoWorld reported yesterday on how IBM's Watson is doing in his crash course on cybersecurity. Cognitive security technology such as Watson for Cybersecurity can change how information security professionals defend against attacks by helping them digest vast amounts of data. IBM Security is currently in the middle of a year-long research project working with eight universities to help train Watson to tackle cybercrime. Watson has to learn the "language of cybersecurity" to understand what a threat is, what it does, and what indicators are related.

The universities are feeding Watson up to 15,000 new documents every month, including threat intelligence reports, cybercrime strategies, and threat databases. The post includes a video explaining how machines learn and what the future of cognitive security technology looks like.

"Generally we learn by examples," says Nasir Memon, professor of computer science and engineering at NYU Tandon School of Engineering. We get an algorithm and examples, and we learn when we are able to look at a problem and recognize it as similar to other incidents.

Many next-generation security defenses already incorporate machine learning, big data, and natural language processing. What's different with cognitive computing is that it can blend human-generated security knowledge with more traditional security data. Think about how much security knowledge passes through the human brain and comes out in the form of research documents, industry publications, analyst reports, and blogs.

Cognitive systems can recognize the rich contextual significance of a blog post or research paper and apply traditional machine-generated data to help analysts get a better understanding of what they are seeing. Cognitive security has the potential to reduce incident response times, optimize the accuracy of alerts, and stay current with threat research.

According to recent statistics from the IBM Institute of Business Value, 40 percent of security professionals believe cognitive security will improve detection and incident response decision-making capabilities, and 37 percent believe cognitive security solutions will significantly improve incident response time. Another 36 percent of respondents think cognitive security will provide increased confidence to discriminate between innocuous events and true incidents. If security analysts were able to stay current on threats and increase accuracy of alerts, they could also reduce response time. More than half (57 percent) of security leaders believed that cognitive security solutions can significantly slow the efforts of cybercriminals.

Interest from other fields is growing: Cognitive computing is slated to become a $47 billion industry by 2020, according to recent figures from IDC. Now that's an impressive number.

November 15, 2016

Interesting question asked by a post on Naked Security. Could your password withstand 100,000,000,000,000 guesses, the kind of scrutiny it might face if it were stolen in a data breach and attacked offline by specialized hardware?

If that seems too hard, how about 1,000,000 guesses? That's the sort of resilience a password needs in order to fend off a much slower online attack against a website's login page.

Still too hard? What about 100 guesses? That's the number of failed attempts that the very latest NIST (National Institute of Standards and Technology) guidelines suggest should trigger a lock-out:

"Unless otherwise specified in the description of a given authenticator, the verifier SHALL effectively limit online attackers to 100 consecutive failed attempts on a single account in any 30 day period."

And of course we can all make a password that withstands 100 attempts, right? Well, not so fast . . .

According to recent research from China and the UK, an attacker with a little of your PII (Personally Identifiable Information) has a one in five chance of guessing your password before they hit NIST's 100-guess shutout.

The researchers from China's Fujian Normal and Peking Universities, and the UK's Lancaster University, have developed TarGuess, a framework that intelligently targets individual users based on personal information that an attacker might reasonably have access to, like your name and birthday. According to the researchers, the sad truth is that TarGuess can achieve about 20% success rates against normal users with just 100 guesses, 25% with 10^3 guesses, and 50% with 10^6 guesses. This suggests that the majority of normal users' passwords are vulnerable to a small number of targeted online guesses (e.g. 100 as allowed by NIST).

If you're one of the hundreds of millions of people whose details have been stolen in attacks on Adobe, Yahoo, LinkedIn and others, then your publicly available PII could include another of your passwords, a so-called "sister password". Those "sister passwords" can give clues about how you create passwords – add them to TarGuess and the chances of beating the NIST shutout are even higher: "TarGuess-III and IV [which use sister passwords] can gain success rates as high as 73% with just 100 guesses against normal users and 32% against security-savvy users."

The chasm is the difference between how many guesses your password needs to withstand to deal with an online attack (about 1 million guesses) and how strong it needs to be to deal with an offline attack (about 100 trillion guesses).

Online attacks occur when someone attempts to log in to a website by guessing the password (they wouldn't type the password themselves of course, they'd use software that types far, far faster).

Offline attacks occur when someone steals, buys or otherwise is in possession of a website's password database and can crack them directly using specialist software and hardware.

The researchers concluded that there was little to be gained by making passwords that sit in the vast 'chasm' between the two thresholds; if your password is good enough to withstand 1 million guesses it won't get substantially better until it can withstand 100 trillion.

All of this is part of a broader recent change in thinking about passwords (the latest NIST guidelines are also a good example) that attempts to shift the burden of password security away from users and back onto system owners and administrators.

Funky password formulas with special characters are out, arbitrary resets are out - throttling and proper password storage are in.

Researchers are telling system administrators to take the strain and that they should worry about the offline attacks and leave users the simple job of making passwords that can handle 1 million guesses – just six characters chosen at random should be enough. However, TarGuess and its developers show us that even that might be too much to ask, saying "… normal users' passwords are even not strong enough to resist online guessing and still far away from the 'online-offline chasm'."

Many of us remain wedded to our truly terrible passwords. Are you guilty of that?

The researchers used password databases from nine massive breaches including CSDN, Yahoo and RockYou, most of which occurred within the last six years. In seven of the nine databases 123456 was the most popular password (Seriously??? We haven't learned better than that?), and none of the top 10 passwords in any of the breaches would surprise readers – they are the usual culprits.

If you're a website owner or operator, follow the latest NIST guidelines, don't allow users to use 123456, password, or any other known bad passwords, and use a reputable password strength meter to ensure they can't pick other passwords that might be easy to crack. Use rate limiting and lock-outs to bolster poor passwords and use two-factor authentication so that when a password is cracked it's not enough by itself to give an attacker access.
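To make the advice above concrete, here is an added Python example (not code from the Naked Security post, the TarGuess researchers, or NIST) of a login verifier that applies the quoted NIST rule of 100 consecutive failed attempts per account in any 30-day period, rejects a denylist of known-bad passwords at registration, and stores passwords with salted PBKDF2. The `Verifier`, `FakeClock` and `simulate_targeted_guessing` names, the denylist contents, the credentials and the guess list are all constructed for this illustration; the PBKDF2 round count is kept low so the example runs quickly and is not a production recommendation.

```python
# Added example: NIST-style lock-out plus known-bad password rejection.
# Everything here (names, sample credentials, denylist) is constructed for
# illustration and is not the original post's or NIST's own code.
import hashlib
import hmac
import os
import time

# Constructed sample denylist; a deployment would load a breach-derived list.
DENYLIST = {"123456", "password", "12345678", "qwerty", "111111", "letmein"}

MAX_FAILED = 100                    # NIST: 100 consecutive failed attempts ...
WINDOW_SECONDS = 30 * 24 * 60 * 60  # ... on a single account in any 30 day period

PBKDF2_ROUNDS = 10_000  # deliberately low so the example runs fast; raise in practice


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Verifier:
    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so the 30-day window can be tested
        self.users = {}        # username -> (salt, digest)
        self.failures = {}     # username -> timestamps of consecutive failures

    def register(self, username, password):
        if password.lower() in DENYLIST:
            raise ValueError("password is on the known-bad list")
        self.users[username] = hash_password(password)

    def attempt(self, username, password):
        """Returns 'ok', 'bad' or 'locked'."""
        now = self.clock()
        # Keep only failures inside the 30-day window.
        recent = [t for t in self.failures.get(username, []) if now - t < WINDOW_SECONDS]
        self.failures[username] = recent
        if len(recent) >= MAX_FAILED:
            return "locked"    # the guess is not evaluated at all
        record = self.users.get(username)
        if record is None:
            # Unknown account: do the same work as a real check so response
            # timing does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self.failures[username] = []   # a success ends the "consecutive" run
            return "ok"
        recent.append(now)
        return "bad"


class FakeClock:
    """Constructed test clock so the window can be advanced without waiting."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_targeted_guessing(verifier, username, guesses):
    """Run a guess list against one account; returns (guesses_evaluated, succeeded)."""
    evaluated = 0
    for guess in guesses:
        result = verifier.attempt(username, guess)
        if result == "locked":
            break              # the cap stops the run regardless of list length
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False


if __name__ == "__main__":
    clock = FakeClock()
    v = Verifier(clock=clock)
    v.register("alice", "Tr0ub4dor&3")  # constructed credential
    # Constructed guess list: the right password sits at position 120, past the cap.
    guesses = [f"alice{i}" for i in range(119)] + ["Tr0ub4dor&3"]
    print(simulate_targeted_guessing(v, "alice", guesses))  # (100, False)
```

The point the simulation makes is the one the post makes: with the lock-out in place, an online guesser gets at most 100 evaluated guesses per account per 30 days, however long its list is, while the success-resets-the-counter rule keeps legitimate users who mistype a few times from being locked out.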

But we know from lecturing that the resistance to two-factor authentication is hard to defeat. Laziness and/or convenience seem to rule the day - unless compelled by someone in authority.

November 14, 2016

The title pretty much says it all. The November 2016 release of the NIST (National Institute of Standards and Technology) Small Business Information Security: The Fundamentals is welcome indeed. The document clocks in at 32 pages with several helpful appendices (including worksheets and sample policy and procedure statements) extending the length to 54 pages.

Reading this document constitutes a good crash course for any small business. If you know you need to come up to speed with a very current document, here's your opportunity.

November 10, 2016

Thanks to our friend and colleague Jared Correia for posting a very nice review of Locked Down: Practical Information Security for Lawyers (2nd edition), which I wrote with John Simek and Dave Ries. Be sure and check out Jared's Red Cave Law Firm Consulting business while you are there!

Thanks also to Nerino Petro, the CIO of Holmstrom & Kennedy, P.C. for taking the time to read and review the book, which was published by the American Bar Association this year.

To quote a brief snippet: "To meet your ethical obligations and educate yourself about the dangers facing your practice and the steps you need to take to protect yourself, you need to have a basic understanding of the fundamentals of information security and how those affect you and the technology you use. If you want to acquire that understanding: This. Is. The. Book. To. Own."

We really appreciate the kind words, Nerino.

Until the end of December, you can purchase the book at a 10% discount by entering the code LD2016 when you are making payment. Perhaps a holiday gift to yourself or a friend? Enjoy!

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.